WSDocInfo docInfo = new WSDocInfo(validateTargetElement.getOwnerDocument());
// Verify the signature
Signature sig = assertion.getSignature();
KeyInfo keyInfo = sig.getKeyInfo();
SAMLKeyInfo samlKeyInfo =
SAMLUtil.getCredentialFromKeyInfo(
keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData, docInfo), sigCrypto
);
assertion.verifySignature(samlKeyInfo);
SecurityToken secToken = null;
byte[] signatureValue = assertion.getSignatureValue();
if (tokenParameters.getTokenStore() != null && signatureValue != null
&& signatureValue.length > 0) {
int hash = Arrays.hashCode(signatureValue);
secToken = tokenParameters.getTokenStore().getToken(Integer.toString(hash));
if (secToken != null && secToken.getTokenHash() != hash) {
secToken = null;
}
}
if (secToken != null && secToken.isExpired()) {
LOG.fine("Token: " + secToken.getId() + " is in the cache but expired - revalidating");
secToken = null;
}
if (secToken == null) {
// Validate the assertion against schemas/profiles
validateAssertion(assertion);
// Now verify trust on the signature
Credential trustCredential = new Credential();
trustCredential.setPublicKey(samlKeyInfo.getPublicKey());
trustCredential.setCertificates(samlKeyInfo.getCerts());
trustCredential = validator.validate(trustCredential, requestData);
// Finally check that subject DN of the signing certificate matches a known constraint
X509Certificate cert = null;